Common Network Threats

Lesson overview. In this lesson, we will cover:
● Inside jobs or threats.
● Outside threats.
● Wireless network threats.

Inside jobs or threats.

When most people consider security threats to networks or systems, they think about the threats that come from outside of an organization. However, in reality, the overwhelming majority of security breaches occur from within an organization. Some of the more common risks and threats are outlined below.

Malicious employee.

We may not know the reason why malicious employees are malicious, but they are difficult to defend against because they are already inside the defenses of the network. Additionally, because they are employees, authorization to resources has been granted to them in order for them to be able to do their jobs. One of the most effective defensive measures that can be utilized to protect against malicious employees is employing the principle of least privilege—only granting the least amount of authorization required for a person to get his or her work done.

Highlights:
● Malicious employees are difficult to defend against, as the threat is already inside the network.
● One of the best defenses is using the principle of least privilege.

Compromised system.

Compromised systems are another threat. Once a PC or network device has been compromised, it is vitally important to isolate it from the system as a whole. A compromised PC could lead to a completely compromised network, as malware may be able to spread across its connections. Once malware has gained access to network resources, it can be extremely difficult to root out and remove. Malware may also degrade the network’s performance, causing additional issues.

Highlights:
● Once a PC or network device has been compromised, it is vitally important to isolate it from the system.
● A compromised PC or network device could lead to a completely compromised network, as malware may be able to spread across connections.

Social engineering.
Social engineering is the process of using social pressure to cause somebody to compromise a system from inside the defenses of the network. Social engineering pressure can be applied in multiple forms. An employee can receive a phone call from someone claiming to be from the IT department asking for his or her credentials. It may occur in person. The social engineering can also occur through email or through a rogue website. There are many avenues in which social engineering can occur. The best defense to protect against this is providing end user education. Training your end users to resist social engineering is a good idea.

Highlights:
● Social engineering involves using social pressure to cause somebody to compromise a system from inside the network defenses.
● The pressure can be applied in multiple forms: by phone, in person, via email, through a rogue website, or by other methods.

ARP (Address Resolution Protocol) cache poisoning.

ARP (Address Resolution Protocol) cache poisoning is another threat that can occur on a network. With ARP cache poisoning, the ARP cache (which maps IP addresses to MAC addresses) is corrupted by an attacker, with the end result being that the attacker has control of which IP addresses are associated with which MAC addresses. It is commonly used in man-in-the-middle attacks.

Highlights:
● ARP cache poisoning is corrupting the ARP cache, resulting in an attacker having control of which IP addresses are associated with MAC addresses.
● It is commonly used in man-in-the-middle attacks.

Protocol or packet abuse.

A protocol or packet abuse threat involves taking a specific protocol and repurposing it to perform a different function. Protocol abuse is commonly used to bypass a router’s access control list (ACL) from the inside of a network. An example of this is encapsulating a disallowed protocol within a DNS packet—which is almost always an allowed protocol—in order to get that disallowed protocol out of the network.
Highlights:
● Protocol or packet abuse is the process of taking a specific protocol and repurposing it to perform a different function.
● It is commonly used to bypass a router’s ACL from inside a network.

Man-in-the-middle attack.

A man-in-the-middle attack is another threat to be aware of. With a man-in-the-middle attack, the attacker is not necessarily inside the network per se, but is in between two endpoints that are communicating on a network. In most cases, a man-in-the-middle attack involves disrupting the ARP process between the two endpoints. The attack allows a malicious user to view all network packets that are flowing between the communicating hosts. Often, a man-in-the-middle attack is used in an attempt to gain sensitive information, such as network credentials.

Highlights:
● With a man-in-the-middle attack, the attacker is in between two endpoints that are communicating on a network.
● The attack allows a malicious user to view all network packets flowing between the communicating hosts.

VLAN hopping.

VLAN hopping involves circumventing the security that is inherent when virtual local area networks (VLANs) are created. Normally, traffic that is tagged for one VLAN is not allowed onto another VLAN without the intervention of a router. VLAN hopping occurs when an attacker adds an additional fake VLAN tag to the network packets. Once the packets get to the switch, the switch strips one of the VLAN tags off the packet and then passes it through. Once through the switch, the packet is considered as belonging to the new VLAN, thus bypassing the security that is inherent in VLANs.

Highlights:
● VLAN hopping circumvents the security inherent when VLANs are created.
● VLAN hopping occurs when an attacker adds an additional fake VLAN tag to the network packets, allowing dangerous packets to cross into unprotected VLANs.

Outside threats.
While inside threats may constitute the majority of an organization’s security breaches, this does not mean that outside threats can be ignored. Most of the largest thefts of data in recent history have been traced to outside perpetrators. Security threats are constantly evolving and security experts need to keep pace in order to remain effective. Some of the most common threats are outlined below.

Brute force attacks.

Brute force attacks involve using computing power and time to compromise passwords. With this type of threat, the attacker uses a program that continually tries different password combinations—often in the form of a special dictionary application—in an effort to crack a password. The best defense against this is to limit the number of times that a user can attempt to log on before he or she is locked out.

Highlights:
● Brute force attacks involve using computing power and time to compromise passwords.
● The attacker uses a program that continually tries different password combinations in an effort to crack a password.

Spoofing.

Spoofing is a category of threats where either the MAC address or the IP address of the attacker has been modified to look like a friendly address in order to bypass network security. In the past, it was common for an attacker to spoof his or her IP address so that it was actually viewed as an inside host. A best practice to defend against this type of spoofing is an ACL rule that doesn't allow an inside IP address to come from outside of the network.

Highlights:
● With spoofing, either the MAC address or IP address of an attacker is modified to look like a friendly address to bypass network security.
● A common use in the past was to spoof the IP address, so that an outside attacker was actually viewed as an inside host.

Session hijacking.

In session hijacking, an attacker attempts to take over a communication session after a user has been authenticated.
The hijacking can occur through various methods, such as using a packet sniffer to steal a session cookie or installing malware on a user’s computer that is activated after the user is authenticated. A man-in-the-middle attack is often used as a prelude to a session hijacking attack.

Highlights:
● In session hijacking, an attacker attempts to take over a communication session after a user has been authenticated.
● A man-in-the-middle attack is often used as a prelude to a session hijacking attack.

DoS (Denial of Service) threats.

The denial of service (DoS) threat actually covers a very broad category of threats to networks and systems. This is because DoS applies to any threat that can potentially keep users or customers from using network resources as designed.

Highlights:
● DoS threats cover a very broad category of threats to networks and systems.
● Any threat that can potentially keep users or customers from using network resources as designed is considered a DoS threat.

Traditional DoS attacks.

A traditional DoS attack attempts to flood a network with enough traffic to bring it down. It is commonly carried out with a flood of malformed ICMP requests. The host that receives the flood can be so busy dealing with the deluge of data that it cannot respond to legitimate requests.

Highlights:
● Traditional DoS attacks attempt to flood a network with enough rogue traffic to stop it from responding to legitimate requests.
● It is commonly carried out with a flood of malformed ICMP requests.

Permanent DoS attacks.

A permanent DoS attack is an attempt to permanently deny a network resource for others. It can be achieved by physically destroying or removing the resource. It can also be achieved through the use of malware that corrupts or damages the underlying digital system to the point where it cannot be repaired and must be replaced.

Highlights:
● A permanent DoS attack is an attempt to permanently deny a network resource for others.
● It can be achieved by physically destroying or removing the resource or by using malware to corrupt or damage the underlying system.

Friendly or unintentional DoS attacks.

There are also friendly or unintentional DoS attacks. An unintended DoS attack can occur when poorly written applications consume more network resources than are available. Unintentional DoS attacks can also occur when a network interface controller (NIC) begins to fail. It is quite common when a NIC is about to fail for it to go offline and come back online repeatedly and rapidly. This consumes network resources, which can cause an unintentional DoS attack.

Highlights:
● An unintentional DoS attack can occur when a poorly written application consumes more network resources than are available.
● An unintentional DoS attack can also occur when a NIC begins to fail.

Distributed DoS (DDoS) attacks.

More disruptive than the standard DoS attack is the distributed denial of service (DDoS) attack. It is a denial of service attack in which more than a single system is involved in sending the attack. A DDoS attack has a higher chance of succeeding due to the increased number of participants. The machines used to send the attack may be voluntary participants—this is called a coordinated attack—or they may be part of a botnet. With a botnet, malware has been installed on machines and they are no longer under the complete control of their owners. Many DDoS attacks involve botnets where the attacker has actually rented the botnet for the sole purpose of performing the DDoS. The goal of the DDoS is to create a large enough spike in traffic that the target becomes unreachable. In some cases, the target system may need to be rebooted in order for it to come back online.

Highlights:
● A DDoS attack is a DoS attack in which more than a single system is involved in sending the attack.
● The machines used to send the DDoS may be voluntary participants or they may be part of a botnet.
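The traditional DoS and DDoS sections above describe the same outcome, a flood that swamps a target, and differ in how many sources send it. As an added example that is not part of the lesson, the following Python classifies constructed packet records from the defender's side; the record format (timestamp, source IP, destination IP, protocol) and the thresholds are assumptions chosen for illustration.

```python
# Added example, not from the lesson: tell a traditional (single-source) DoS
# flood from a DDoS (many-source) flood in constructed packet records.
# Record format (timestamp_seconds, src_ip, dst_ip, proto) and the thresholds
# below are assumptions chosen for illustration, not values from the lesson.
from collections import defaultdict

RATE_THRESHOLD = 500          # packets per second to one destination before it counts as a flood
DISTRIBUTED_MIN_SOURCES = 20  # distinct senders at which a flood is treated as distributed


def classify_floods(packets, window=1.0):
    """Return {dst_ip: verdict} for every destination that receives at least
    RATE_THRESHOLD * window packets inside some span of `window` seconds.
    verdict is "traditional DoS" (few sources) or "DDoS" (many sources)."""
    by_dst = defaultdict(list)
    for ts, src, dst, proto in packets:
        by_dst[dst].append((ts, src, proto))
    verdicts = {}
    for dst, recs in by_dst.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window` seconds
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if end - start + 1 >= RATE_THRESHOLD * window:
                senders = {src for _, src, _ in recs[start:end + 1]}
                # a DDoS is distinguished by aggregate rate, not per-sender rate:
                # each bot may be well under the threshold on its own
                verdicts[dst] = ("DDoS" if len(senders) >= DISTRIBUTED_MIN_SOURCES
                                 else "traditional DoS")
                break
    return verdicts


def sample_traffic():
    """Constructed traffic, not a real capture: 800 ICMP echo requests in one
    second from a single host, 1000 in one second spread over 50 hosts, and
    light normal traffic to a third destination."""
    pkts = []
    for i in range(800):
        pkts.append((i / 800, "203.0.113.9", "10.0.0.5", "icmp"))
    for i in range(1000):
        pkts.append((i / 1000, f"198.51.100.{i % 50 + 1}", "10.0.0.6", "icmp"))
    for i in range(30):
        pkts.append((i / 3, "192.0.2.4", "10.0.0.7", "tcp"))
    return pkts


if __name__ == "__main__":
    for dst, verdict in classify_floods(sample_traffic()).items():
        print(f"{dst}: {verdict}")
```

Note that each of the 50 senders in the DDoS case contributes only 20 packets per second, far below the per-source rate of the single-source flood, which is why the check is on the aggregate per destination.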
Reflective DoS (also known as amplified DoS) attacks.

The reflective denial of service attack is also known as an amplified DoS. In this case, the attacker uses some method—usually some form of spoofing—to hide the source of the attack. In a reflective DNS attack, the attacker usually spoofs the intended target's IP address and sends multiple requests to an open DNS server. The DNS server responds by sending traffic back to the targeted system. The attacker's hope is that the response from the DNS server will overwhelm the targeted system. A cousin to the reflective DNS attack is the reflective NTP (network time protocol) attack. It works in the same way. However, instead of using DNS, it relies on open NTP servers.

Highlights:
● In a reflective DoS attack, the attacker uses some method—usually some form of spoofing—to hide the source of the attack.
● In a reflective DNS attack, the attacker usually spoofs the intended target’s IP address and sends multiple requests to an open DNS server.
● A reflective NTP attack works in the same way; however, instead of using DNS, it relies upon open NTP servers.

Smurf attacks or Smurfing.

Not very common anymore (but something that should still be known about) are Smurf attacks—also known as Smurfing. They are a type of reflective DoS attack that also involves spoofing the intended target's IP address. With a Smurf attack, a network is flooded with ICMP requests in which the source address for the requests appears to be that of the intended target. As the replies are returned, the network is slowed down by the traffic. The goal is to overwhelm the target system and bring it down.

Highlights:
● A Smurf attack is a type of reflective DoS that also involves spoofing the intended target’s IP address.
● A network is flooded with ICMP requests in which the source address for the requests appears to be that of the intended target.

Zero day attacks.
One of the largest threats that face network security personnel is the unknown vulnerability. Network and system administrators expend a fair amount of effort protecting the assets under their control, and they can do a good job of hardening their systems, but not a perfect job. The problem lies with zero day attacks. Zero day attacks take advantage of either new or very recently discovered vulnerabilities, which means that networks and systems probably haven’t yet been hardened against them. The unfortunate reality is that attacks keep changing and security experts must also be willing to adapt in order to keep pace.

Highlights:
● Zero day attacks take advantage of either new or recently discovered vulnerabilities, which networks and systems haven't yet been protected from.
● The unfortunate reality is that attacks keep changing and security experts must be willing to adapt in order to keep pace.

Wireless network threats.

Wireless networking represents a unique challenge to security. By their very nature, wireless networks broadcast their transmissions over the air, making them easy to intercept. There are a number of threats that are specific to wireless networks. Some common threats are outlined below.

Wi-Fi Protected Setup (WPS).

A common feature on a modern wireless access point (WAP) is Wi-Fi Protected Setup (WPS). The goal of WPS is to create an easy and secure method for consumers and small businesses to set up a secure wireless network. Unfortunately, the outcome has fallen short of the goal. While WPS does ease the setup burden, it is also easily exploited by an attacker and should be disabled on all equipment.

Highlights:
● WPS was created to simplify secure wireless setup.
● It is extremely insecure and should not be used.

War driving/war chalking.

War driving or war chalking is the practice of attempting to sniff out unprotected, or minimally protected, wireless networks.
Once such networks are found, marks are placed on buildings and streets indicating that networks are available and vulnerable. Something to remember is that wireless networks are vulnerable merely due to the fact that they need to broadcast over the air.

Highlights:
● War driving/war chalking is the practice of attempting to sniff out unprotected or minimally protected wireless networks.
● Once found, marks are placed on buildings and streets indicating what networks are available and vulnerable.

WEP cracking/WPA cracking.

WEP cracking or WPA cracking is using a packet sniffer to capture the password and/or the preshared key on a wireless network. Wired Equivalent Privacy (WEP) can be cracked in minutes. Wi-Fi Protected Access (WPA) cracking will take hours, but it can still be cracked. Neither of these encryption standards should be used on wireless networks.

Highlights:
● WEP or WPA cracking is the use of a packet sniffer to capture the password or preshared key on a wireless network.
● WEP can be cracked in minutes.
● WPA cracking will take hours, but can still be done.

Rogue access point attack.

Rogue access point attacks are another threat that technicians should be familiar with. A rogue access point is an unauthorized WAP that gets installed onto a network. Unfortunately, the biggest culprits in this situation are the end users themselves. They often install their own WAPs for convenience and then don't properly secure them, opening a vulnerability into the network. Administrators should periodically check for rogue access points on their networks, even if wireless is not installed.

Highlights:
● A rogue access point is an unauthorized WAP that gets installed on a network.
● The biggest culprits are the end users who install their own WAPs for convenience and don’t properly secure them.

Evil twin attack.

Related to the rogue wireless access point attack is the evil twin attack.
In such an attack, a WAP is installed and configured with an SSID that is very similar to the authorized version. As users access the evil twin, their keystrokes are captured in the hopes of gaining sensitive information, such as the credentials to log in to the actual wireless network. An evil twin attack can also be considered a type of wireless phishing attack.

Highlights:
● An evil twin attack is a type of rogue access point attack.
● A WAP is installed and configured with an SSID that is very similar to the authorized version and, as users access the twin, their keystrokes are captured.

Bluejacking.

Bluejacking involves sending unsolicited messages over a Bluetooth connection in an effort to keep the target from responding to valid requests. It is more of an annoyance than an actual network threat, as it mostly involves a personal area network (PAN)—which tends to be very limited in its abilities.

Highlights:
● Bluejacking involves sending unsolicited messages over a Bluetooth connection in an effort to keep the target from responding to valid requests.

Bluesnarfing.

Related to Bluejacking is Bluesnarfing. This is an attack in which the attacker creates a Bluetooth connection with another device without that device's permission. The goal is to retrieve information from the compromised device, such as contact information or stored email. This vulnerability has been patched and may no longer be a concern, but it is still something to be aware of.

Highlights:
● Bluesnarfing is an attack in which the attacker creates a Bluetooth connection with another device without that device’s permission.
● The goal is to retrieve information from the compromised device.

What was covered.

Inside jobs or threats.

Given the nature and purpose of networks, it can be difficult to make them secure.
Common threats that come from within the network itself are: malicious employees, compromised systems, social engineering, ARP cache poisoning, protocol or packet abuse, man-in-the-middle attacks, and VLAN hopping.

Outside threats.

Some outside threats include: brute force attacks, spoofing attacks, and session hijacking. A very common and broad category of threats is DoS. There are many types of DoS threats, including traditional DoS, permanent DoS, friendly or unintentional DoS, DDoS, reflective DoS, and Smurf attacks. Of major concern to network security personnel are zero day attacks (the exploitation of previously unknown vulnerabilities), and it is imperative that they keep current with what is being developed.

Wireless network threats.

WPS creates an easy method of placing security on a wireless network, but it also creates a vulnerability in the network. Threats that face wireless networks include war driving or chalking, WEP or WPA cracking, rogue access points, and evil twin attacks. Bluetooth networks are also vulnerable to Bluejacking and, possibly, Bluesnarfing.
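The ARP cache poisoning and man-in-the-middle sections above describe an attacker corrupting the IP-to-MAC mapping so that hosts send their traffic to the attacker's MAC. As an added example that is not part of the lesson, the following Python shows how a defender can spot that condition from the sender fields of observed ARP replies; the gateway address, the seeded inventory table and the reply records are constructed for illustration.

```python
# Added example, not from the lesson: detect ARP cache poisoning from the
# sender IP/MAC pairs carried in ARP replies. The inventory table, gateway
# address and reply records are constructed for illustration.
from collections import defaultdict


class ArpWatch:
    """Mirrors what hosts on the segment will cache and raises an alert when
    a mapping changes, when the gateway's mapping is overridden, or when one
    MAC claims several IPs (an attacker answering for both ends of a session)."""

    def __init__(self, gateway_ip, trusted=None):
        self.gateway_ip = gateway_ip
        self.table = dict(trusted or {})       # ip -> mac, seeded from known-good inventory
        self.ips_for_mac = defaultdict(set)    # mac -> IPs it has claimed
        for ip, mac in self.table.items():
            self.ips_for_mac[mac].add(ip)
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        """Feed one ARP reply's sender fields; returns the alerts it raised."""
        raised = []
        known = self.table.get(sender_ip)
        if known is not None and known != sender_mac:
            kind = ("gateway mapping changed" if sender_ip == self.gateway_ip
                    else "mapping changed")
            raised.append((kind, sender_ip, known, sender_mac))
        self.ips_for_mac[sender_mac].add(sender_ip)
        if len(self.ips_for_mac[sender_mac]) > 1:
            # a legitimate multi-homed host can trip this; treat it as a lead, not proof
            raised.append(("one MAC claiming multiple IPs", sender_mac,
                           tuple(sorted(self.ips_for_mac[sender_mac]))))
        # adopt the new mapping so a later reply from the real owner also alerts;
        # an IP flapping between two MACs is itself a strong poisoning signal
        self.table[sender_ip] = sender_mac
        self.alerts.extend(raised)
        return raised


def sample_replies():
    """Constructed ARP replies, not a real capture: the real gateway and a
    workstation answer, then a third MAC answers for both of them."""
    return [
        ("192.168.1.1", "02:00:00:00:00:01"),   # gateway, matches inventory
        ("192.168.1.20", "02:00:00:00:00:20"),  # workstation, first sighting
        ("192.168.1.1", "02:00:00:00:00:99"),   # gateway IP claimed by another MAC
        ("192.168.1.20", "02:00:00:00:00:99"),  # same MAC also claims the workstation
    ]


def run_sample():
    """Returns the alert kinds raised over sample_replies(), in order."""
    watch = ArpWatch("192.168.1.1", trusted={"192.168.1.1": "02:00:00:00:00:01"})
    for ip, mac in sample_replies():
        watch.observe(ip, mac)
    return [alert[0] for alert in watch.alerts]


if __name__ == "__main__":
    print(run_sample())
```

The third and fourth replies together are the pattern the lesson calls a man-in-the-middle: one MAC now answers for both the gateway and the workstation, so each side's cache points at the attacker.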